From IEDs to ICDs? Credible threat led to disabling Cheney’s ICD in 2007

Oct 20, 2013

ACC News Story

Share via:

Font Size

A

A

A

Everyone knows the risk of IEDs (improvised explosive devices), but what about a terrorist attack via ICD: implantable cardioverter defibrillator? Former Vice President Dick Cheney told "60 Minutes" on October 20, that when his ICD was replaced in 2007, his cardiologist, Jonathan S. Reiner, MD, George Washington University Hospital, had the device's wireless function disabled so a terrorist couldn't use it send his heart fatal shocks.

Mr. Cheney told Sanjay Gupta, MD: "I was aware of the danger...that existed...I found it credible." That possibility was subsequently woven into the plot of the TV show "Homeland." Asked about the program, Mr. Cheney responded, “I know from the experience we had and the necessity for adjusting my own device, that it was an accurate portrayal of what was possible.”

Until recently, few people outside of medicine were aware of the potential of ICDs and other medical devices as terrorist targets. In April 2012, CardioSource WorldNews featured a report on the potential hacking of medical devices (click here to read that CSWN feature story). Two weeks later, the federal government issued a security bulletin warning of "new vulnerabilities to patients and medical facilities."

Kevin Fu, an assistant professor in computer science at the University of Massachusetts Amherst, demonstrated a proof of concept attack at an Emory Tech Conference on how to illicitly access an implanted medical device. He pointed to the growing number of pacemakers and defibrillators that communicate via the Internet using a short range wireless link.

Fu showed that a device could be built with off-the-shelf components allowing illicit communication with a device. The exploit was possible due to a communications feature left active in the device intended to be used during quality control at the manufacturing stage but had not been turned off. The only additional information needed to gain access to the device was the patient's name.